Quite recently, your correspondent was in conversation with a colleague who was a victim of credit-card fraud. A hacker had been able to charge $500 worth of gas to her card by falsely claiming to be the card-holder and had repeated the scam with other local businesses in the area (my colleague runs a food-catering business). Like anyone who finds out that they have been breached, she contacted her credit card company to alert them of the scam and to also prevent the hacker from compromising other users’ data. The credit company offered to change her information, but declined to investigate the matter. Their exact words: “It’s not our area of jurisdiction.”
Unsatisfied, she contacted the bank organization she belonged to, and they told her the same thing: “It’s not our bailiwick.” Undeterred, she called the local police department and then the state attorney’s office. It was still a no-go. Eventually, she found a competent individual to pay attention to her case. The hacker was found in the flesh (surprisingly a middle aged woman) and was forced to turn over the stolen funds in a parking lot or be taken to court.
What is most concerning about this entire debacle is how many calls it took to find someone to take this incident seriously! This is unfortunately common for victims dealing with “small-time” cyber crime. The official organizations that we are supposed to report crimes to in order to begin an investigation always believe that they have bigger fish to fry. Unless they are dealing with a hacker who has stolen an insurmountable amount of money (usually in the thousands range), they won’t take responsibility for a case.
WHY ORGANIZATIONS DON’T TAKE RESPONSIBILITY FOR “SMALL” ATTACKS
I am personally tempted to scream “Unacceptable!”, but there are understandable reasons why most organizations avoid solving small cyber crimes.
The main reason is that it is extremely difficult to find, catch, and prosecute hackers. It is a tedious process that only those with an appetite for justice and a stubborn tracking sense will have the stomach to pursue. Technical skills, stamina, and patience are required to hunt for a hacker (which can take months depending on how savvy your hacker is at covering their tracks). Once you believe you’ve found them, you need a court order (which could take a few weeks), and you need to jump through a few more bureaucratic loops (which takes more weeks).
Finding a hacker is one thing, but prosecuting them in a court of law is another. What matters most is evidence. If you do not have evidence of the actual hacking or fraud (whether it be printouts from your computer or actual records and files), then the hacking never happened. Organizations don’t want to waste their time on small court cases if there is even a 10% chance that the evidence isn’t solid. Baseline technological evidence tends to be iffy, so proving that a cyber crime took place with a computer isn’t as trusted as the DNA or fingerprints of the defendant in question.
SO WHERE DOES THIS LEAVE THE USER?
What is shocking is that many victims of cyber crime take up the investigation themselves without the backing or support of an official org. Unsatisfied with the institutions that we are supposed to trust, these individuals do all the information gathering, tracking, profiling, and zero-ing in on hackers themselves. They do all the work that official organizations are supposed to do but won’t. By taking matters into their own hands, many victims of cyber attacks (such as my colleague) have proven successful and have earned the self-imposed title of “cyber-crime detective”.
It is still unacceptable that they are put in this position. Organizations must start taking responsibility for all cyber crimes that occur; large and small. When a user calls to report an incident, that incident must be taken as a priority and not a shrug of the shoulders! Although we live in a world that is increasingly taking information security and data protection more seriously, the bigger focus remains on preventing million dollar data breaches instead of the individual users. However, organizations need to realize that most breaches are small ones, like $500 of gas money being stolen.
For all the talk about improving “cybersecurity culture”, if organizations want to take security seriously, then they need to do something about the small crimes. Of course it isn’t easy, but the fact that the victim is taking matters into their own hands tells organizations that they need to step up. The best thing they can do is to employ more personnel to investigate cyber crimes (cyber forensics is a vastly understaffed field of infosec). By finding and training qualified personnel to handle cyber crimes, orgs will be able to better understand security incidents. Most important of all, victims of cyber attacks will see a higher rate of justice deserved.